Researchers from Cisco Talos, with the help of numerous threat intelligence partners, have identified at least 500,000 devices worldwide that have been infected with the VPNFilter malware. Large segments of the malware's code were repurposed from the notorious BlackEnergy malware, which was responsible for massive DDoS attacks targeting Ukrainian infrastructure that resulted in widespread power outages.
The majority of known infected hosts are from small office or home network devices which usually act as the perimeter network device with little to no defense in depth. Many of these devices have publicly known exploits or default credentials that make compromising a device of this type trivial when best practices are not followed.
Known Affected Network Devices:
- Linksys
- MikroTik
- NETGEAR
- TP-Link
- QNAP NAS
The capabilities of VPNFilter are numerous. They include unrestricted data collection from an affected device, including theft of banking credentials, as well as the ability to execute a kill command that renders the device unusable. Another area of concern is VPNFilter's ability to monitor Modbus SCADA protocols, which are commonly used by industrial devices and applications; this capability is reminiscent of the BlackEnergy malware, which rendered many of Ukraine's power substations inoperable.
Proficio Threat Intelligence Recommendations:
- Users of SOHO routers and/or NAS devices should ensure that default credentials are changed, reset the devices to factory defaults, and reboot them in order to remove the non-persistent stage 2 and stage 3 malware.